diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 8032ebd2b8..8d7ac84d6e 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -67,10 +67,12 @@ This table includes all available attributes/elements for the **Log** element. T |Application |String |The AppLocker identity for the app where the audit event happened. | ### Examples + Here are a few examples of responses from the Reporting CSP. #### File ownership on a file is changed from work to personal -``` + +```xml 110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml @@ -84,7 +86,8 @@ Here are a few examples of responses from the Reporting CSP. ``` #### A work file is uploaded to a personal webpage in Edge -``` + +```xml 110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml @@ -101,7 +104,8 @@ Here are a few examples of responses from the Reporting CSP. ``` #### Work data is pasted into a personal webpage -``` + +```xml 110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml @@ -118,7 +122,8 @@ Here are a few examples of responses from the Reporting CSP. ``` #### A work file is opened with a personal application -``` + +```xml 110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml 
@@ -137,7 +142,8 @@ Here are a few examples of responses from the Reporting CSP. ``` #### Work data is pasted into a personal application -``` + +```xml 110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml @@ -154,22 +160,26 @@ Here are a few examples of responses from the Reporting CSP. ``` ## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only) + Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer. **To view the WIP events in the Event Viewer** + 1. Open Event Viewer. 2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**. ## Collect WIP audit logs using Azure Monitor + You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.]() **To view the WIP events in Azure Monitor** + 1. Use an existing or create a new Log Analytics workspace. 2. In **Log Analytics** > **Advanced Settings**, select **Data**. In Windows Event Logs, add logs to receive: - ``` + ```console Microsoft-Windows-EDP-Application-Learning/Admin Microsoft-Windows-EDP-Audit-TCB/Admin ``` @@ -191,11 +201,12 @@ Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary 7. To search for logs, go to **Log Analytics workspace** > **Logs**, and type **Event** in search. ***Example*** -``` + +```console Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin" ``` ## Additional resources - [How to deploy app via Intune](/intune/apps-add) - [How to create Log workspace](/azure/azure-monitor/learn/quick-create-workspace) -- [How to use Microsoft Monitoring Agents for Windows](/azure/azure-monitor/platform/agents-overview) \ No newline at end of file +- [How to use Microsoft Monitoring Agents for Windows](/azure/azure-monitor/platform/agents-overview)
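Review bot: In the hunk at `@@ -154,22 +160,26 @@`, the `console` tag on the block under "In Windows Event Logs, add logs to receive" misdescribes its contents: the two lines `Microsoft-Windows-EDP-Application-Learning/Admin` and `Microsoft-Windows-EDP-Audit-TCB/Admin` are event log channel names to be typed into the Log Analytics Data settings page, not a shell session, so a `text` fence (or an unlabeled one) is the honest choice and avoids readers pasting them into a prompt. Two pre-existing problems in the same hunk's context lines are worth fixing while it is open: `See [Windows event log data sources in Azure Monitor.]()` has an empty link target and renders as a dead link, so either supply the destination or drop the brackets; and the Event Viewer step names the **EDP-Audit-Regular** and **EDP-Audit-TCB** channels while the Log Analytics step lists `EDP-Application-Learning/Admin` and `EDP-Audit-TCB/Admin`, so the page should either add the regular audit channel to the Log Analytics list or say why only the TCB channel is collected there.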
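Review bot: In the hunk at `@@ -191,11 +201,12 @@`, `console` is the wrong fence language for `Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin"`: it is a Kusto query entered in the Log Analytics workspace **Logs** blade, so tag the block ```kusto so highlighting matches the query syntax and nobody treats it as a shell command. The `***Example***` line above it is bold italic text rather than a heading; the examples earlier on the page use `####` headings, so `#### Example` keeps the document consistent. The added trailing newline at end of file is fine.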